`report-uri` sample rate
One thing about CSP that I've always found extremely dangerous is its ability to generate an enormous amount of traffic for a reporting endpoint if you hit browser bugs or use a misconfigured policy. This was a very real issue for us and something we've mitigated using a patch to only send a percentage of the reports to the reporting endpoint. We tune this number up and down based on the risk when we roll out an updated policy.
My question to the other users of secureheaders is whether or not this configuration option would be valuable to you? If so, I'm happy to open a PR with our base implementation and we can expand on it from there. To give you a bit of an idea around the implementation:
```ruby
# initializer
config.csp_report_only = {
  # .. snip
  report_uri: %w(https://report-uri.io/example-csp-report-only),
  sample_rate: 0.3 # only send 30% of violations
}
```
The above configuration would then result in the report-uri directive for the policy only being appended 30% of the time and the remaining 70% would not have the report-uri directive at all.
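As an added example (not secure_headers code, nor the poster's patch), a small CSP builder that appends report-uri only on a sampled fraction of responses, following the config shape above; the class and method names are hypothetical, and the RNG is injectable so the sampling can be checked:

```ruby
# Added example (not secure_headers code): a minimal CSP builder that emits
# report-uri on only a sampled fraction of responses, as the proposed
# sample_rate option would. Config shape follows the snippet above; the class
# and method names are hypothetical.
class SampledCsp
  # rng is injectable so the sampling decision can be reproduced in tests.
  def initialize(config, rng: Random.new)
    @config = config
    @rng = rng
    return if (0.0..1.0).cover?(sample_rate)
    raise ArgumentError, "sample_rate must be in 0.0..1.0, got #{sample_rate}"
  end

  def sample_rate
    @config.fetch(:sample_rate, 1.0).to_f
  end

  # True when this particular response should carry report-uri.
  def report?
    @rng.rand < sample_rate
  end

  # Builds the header value; report-uri is appended only when sampled in, so
  # a flood of violations reaches the collector at roughly sample_rate.
  def header_value
    parts = @config.each_with_object([]) do |(name, values), acc|
      next if %i[sample_rate report_uri].include?(name)
      acc << "#{name.to_s.tr('_', '-')} #{Array(values).join(' ')}"
    end
    uri = @config[:report_uri]
    parts << "report-uri #{Array(uri).join(' ')}" if uri && report?
    parts.join('; ')
  end
end

# Fraction of n generated headers that carried report-uri, for checking the
# configured rate against what actually leaves the server.
def observed_report_fraction(config, n, seed: 1234)
  csp = SampledCsp.new(config, rng: Random.new(seed))
  csp_hits = n.times.count { csp.header_value.include?('report-uri') }
  csp_hits.fdiv(n)
end

# Constructed sample policy mirroring the proposal above.
EXAMPLE_CONFIG = {
  default_src: %w('self'),
  script_src: %w('self' https://cdn.example),
  report_uri: %w(https://report-uri.io/example-csp-report-only),
  sample_rate: 0.3
}.freeze
```

`observed_report_fraction` is the check you would run before shipping a new rate: over many generated headers the share carrying report-uri should sit close to `sample_rate`.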
I vaguely recall implementing something like this when all values accepted procs, so it would be valuable to past me.
I think this would be a welcome addition that I am just researching how to accomplish.
Both we and GitHub are now running 5.2, which supports CSP out of the box. I know we have replaced the majority of secure_headers with framework defaults (@oreoshake will have to yay/nay for GitHub), so I probably won't be adding this, seeing how we don't really use it anymore.
In Rails 5.2 we handle the sampling in the initializer:

```ruby
Rails.application.config.content_security_policy do |policy|
  # .. snip
  # The proc is evaluated per response; report-uri is emitted on roughly 2% of them.
  policy.report_uri(proc { "https://collector" if Random.rand(100) < 2 })
end
```
This doesn't work before 5.2.2 though, as we had to file rails/rails#34200 in order to have procs work with the CSP methods.
> (@oreoshake will have to yay/nay for GitHub)
Nay, but it's certainly on our backlog. I have been trying to pass ownership of this repo on to someone else, but I plan on archiving this repo in the not too far future. I hope to see someone fork this project and become the new home.
This library still has value for out-of-date applications or non-Rails applications, neither of which I support anymore. I have a strong policy against maintaining code you don't use, and soon I won't be using secure_headers.